04-11-2019 01:58 PM - edited 04-11-2019 01:58 PM
Our company has recently been implementing Cisco Jabber, but recently have run into an issue due to our unique setup.
Our company has 2 domains that are 2-way trusted. We have found out that we need to create an AD LDS instance to support authentication within CUCM for our 2 domains. In our current setup, Domain 1 uses the sAMAccountName as the LDAP Attribute for User ID, using the Microsoft Active Directory as the LDAP Server Type.
We know we need to set up the AD LDS instance, but we can't use the sAMAccountName as the LDAP Attribute for User ID, because between the 2 domains, there are multiple instances where the sAMAccountName is the same on both domains, thus not making it unique. What is unique is the email attribute field we could use. The big question is though, what would happen to all the current user accounts within CUCM if we changed the LDAP Attribute for User ID field from sAMAccountName to the email attribute. Trying to put together the picture of how much work this would be, what could possibly break, etc.
In Domain 1, users have Cisco phones, voicemail, and Cisco Jabber as the tools they have. Our current version of CUCM is 11.5.1.12900-21. Let me know if any other information is needed to help with this issue.
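As an added example (not part of the original thread), a small pre-check for the uniqueness problem described above: given user exports from both domains, it reports which candidate attribute is present for every user and unique across the combined directory before it is mapped to User ID in CUCM. The records and domain names below are constructed sample data, not real accounts.

```python
from collections import Counter

CANDIDATES = ("sAMAccountName", "userPrincipalName", "mail")

# Constructed sample exports from two trusted domains (not real data).
# Both domains contain a "jsmith", so sAMAccountName is not unique across
# the combined directory; one Domain 2 user has no mail attribute set.
DOMAIN1_USERS = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp1.example",
     "mail": "john.smith@corp1.example"},
    {"sAMAccountName": "adoe", "userPrincipalName": "adoe@corp1.example",
     "mail": "anna.doe@corp1.example"},
]
DOMAIN2_USERS = [
    {"sAMAccountName": "JSmith", "userPrincipalName": "jsmith@corp2.example",
     "mail": "jane.smith@corp2.example"},
    {"sAMAccountName": "bkim", "userPrincipalName": "bkim@corp2.example",
     "mail": ""},
]

def check_attribute(users, attr):
    """Return (duplicates, missing): duplicates maps each value that occurs
    more than once (compared case-insensitively, as AD does) to its count;
    missing is the number of users with no value for attr at all."""
    counts = Counter()
    missing = 0
    for user in users:
        value = (user.get(attr) or "").strip().lower()
        if not value:
            missing += 1
        else:
            counts[value] += 1
    duplicates = {v: n for v, n in counts.items() if n > 1}
    return duplicates, missing

def usable_user_id_attributes(*domains):
    """Return the candidate attributes that are populated for every user and
    unique across all given domains, i.e. safe to map to the CUCM User ID."""
    combined = [u for domain in domains for u in domain]
    return [attr for attr in CANDIDATES
            if check_attribute(combined, attr) == ({}, 0)]

if __name__ == "__main__":
    combined = DOMAIN1_USERS + DOMAIN2_USERS
    for attr in CANDIDATES:
        dup, miss = check_attribute(combined, attr)
        print(f"{attr}: duplicates={dup} missing={miss}")
    print("usable for User ID:",
          usable_user_id_attributes(DOMAIN1_USERS, DOMAIN2_USERS))
```

On real exports, run this against the full user set of both domains before deleting the LDAP Directory, since any collision or empty value in the chosen attribute will surface as a missing or duplicate user after the re-sync.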
04-11-2019 03:28 PM
You would need to remove the LDAP sync, turn all your users into local users, then manually change the userID to the value you would use for the LDS integration, and finally enable the LDS integration so the userID matches the value in LDS, and they become LDAP active users.
With all other LDAP platforms, the attribute that is mapped to User ID is the key for that account in Unified CM. Changing that attribute in LDAP will result in a new user being created in Unified CM, and the original user will be marked inactive.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11/directry.html
04-12-2019 06:22 AM
You will want to use either UserPrincipalName or email as a unique attribute for the UserID. Here is a reason to go with UPN:
Since you are LDAP integrated on only one domain at the moment: if you change the UserID attribute mapping to UPN and re-sync, CUCM is smart enough to figure out which user is which and will change the current users to the new UPN UserID attribute. I've done this remapping from sAMAccountName to UPN in my lab using this method and know it works. (Note: You'll need to delete the LDAP Directory, change the mapping, recreate the LDAP Directory and re-sync.)
I haven't remapped from sAMAccountName to mail myself, so I don't know if the same would apply there.
After that you would need to re-delete the LDAP Directory, change the synchronization type to AD LDS, and then re-create the LDAP Directory for this first domain and re-sync and make sure it works. Then add the second domain's agreement.
Be safe and perform a backup. And try the procedure out in a lab first if you can. It's a big change.
Maren
04-17-2019 06:02 AM - edited 04-17-2019 08:09 AM